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(54) Title: COMPUTER SOFTWARE AUTHENTICATION. PROTECTION, AND SECOTUTY SYSTCM 

(57) Abstract 

A software-based con^>uter security enhancing 
process and graphical softw^re-audioiticity method, 
and a method to apply aspects die two are dis- 
closed. The process provides protection against cer- 
tain attacks on executable soltn^ by persons or other 
software used on the computer. Software using diis 
process is protected against eavesdropping (the mon- 
itoring of software, applications, the operating sys- 
tem, disks, keyboard, or other devices to rcconl (steal) 
identification, autitentication or sensitive data such as 
passwords, User-ID's. credit-card number and expiry 
dates, bank account andPIN numbeis, smart-card data, 
biometric informadon (for example: die data compris- 
ing a retina or fingerprint scan), or encryption keys), 
local and remote tampering (altering software to re- 
move, disable, or compromise security features of 
die altered software) examination (viewing die exe- 
cutable program, usually widi the intent of devising 
security attacks iq>on it), tracing (observing die op- 
erating of an executable piograro stq>-by-step), and 
spoofing (substituting counterfeit software to onulate 
the interface of authentic software in order to sub- 
vert security) by rogues (e.gj Ttojan Horses. Hack- 
ers, Viruses, Terminate-and-stay-rcsida)t programs, 
co-resident software, muld-lhrcaded operating system 
processes. Worms, Spoof p rogr am s, key-press pass- 
word captures, macro recorders, sniffers, and other 

software or subversions). Aspects include executable ^ ig.,^ ^ 5o 

encryption, obfuscation, and-tradng, anti-tamper and ^"^ ^ . ^JS^ ^ 

self-verification, runtime self-monitoring, and audiovisual authentication (math, enoyption. and graphics based mediod permitting users to 
immeduitely recognise die audienticity and integrity of software). The figure in die specification depicts die many components and dieir 
interacticm. 
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CoMPUiER Software Authentication, Protection, And Security System 

BACKcmouND Of the invention 

5 Tbe present inventiaa relates to a conqiuter program having enhanced security features, and 

also to a system and niediodfer enhancing ft e security fealiuesc^ bi particular, 

the pres9it invention relates to such a program, and die systm and method for oieatmg the program, 
having increased security features to prevent ID-Data (as defined hereafter) eavesdropping and/or theft 
and/or to ensure audientidty. 

10 

Description Of the prior Art 

Computers are becoming widely i n terT C CTin ected and heavily rdied upon to process and store 
sensitive information. The risk of unaudiorised access to computers and information has inoreased 
widi tfiis mcieased uitetcounecttvity. 

15 Kfany security advances eTust in the areas ofidentification& authentication of 

cryptogr^y, virus prevention, and tiie like, however - ahnost all of these advances ultimately rely 
up<m computer software. Most con^)uter systems are, or are accessed by, small personal coiiq>uter5, 
aiKl most software used on these personal conq)uters is susceptible to "local attadcs** - attacks vAndi 
are mounted fiom insicfe said personal c(Hiq>uters against said software by other software or peq>le. 

20 Passwords, User-ID's, credit-card numbers and e?q>iry dates, bank account and PIN numb^, 

smart-card data, bicmiecric information (for exanqyie: the data con:q)rising a retina or fingerprint scan), 
oyptogr^riuc keys, and tibe like are all exanqples of identification, authentication or similar data vriiidi 
is eidia- sensitive in itsdf, orinay allow access to sensitive, restricted or odier information or services. 
Hereafter, tibe term ID-Data will be used to refer to fiie abovementioned identification, authentication 

25 or similar data, excluding DO-Data \^cfa is vaUd only for a single use, ori^cfa is designed to expire 
at regular int^vals of less than two minutes. 

Illegal access to coaiq>ut^ system infi>rmation can be obtained by eliciting various security 
flaws found in computer software products. A common flaw is die suscqitibility of said software to 
tiie theft of ID-Data other directly fiom said software as it executes, or finom the operating system or 
30 hardware on vMdk said software is executing. AnoAer common flaw is the suscqitibility of said 

software to ill^al modification. Such modifications may rsnove, disable, or conq^rornise the security 
features of said software. 

Viruses, Tenninate-and-stay-resident programs (TSRs), co^esicknt software, multi-threaded 
opiating system processes, Trojan Ifarses, Worms, Hack^, Spoof progran^, key-press password 
35 capturers, macro-fecontes, snifTers, and the like can be eGfecttve at stg^Hi^g ID-j)ata and are 

exanqiles of (a) n^ue software or (b) people capable of subvrating security software or (c) software 
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vriucfacanbeccn%uiedfi>riU^:itimatepu^ Hereafter, the tenn rogue sofhvarei^ 
lefe to software or subvmions such as the abovementioDed (a) (b) and (c), used fiyrthe poipose of 
stealmg ID-Data. The defaiitiop of osn^ tsrm "rogue safftwaTe'* m/h«a iiyed hgfipin also indndes 
sc^h^^STccK-cSher means used to tanq>^wi^ The tenntan;)mng is defined heieafter. 

5 There aie many ways to introduce rogue software into a conqiuters Viruses spread 

aiitinmatic ally by i ntr o dticin g thems dves. Trgpa-ffarses am n gially mt Tp ^faCTfj ^ t"<^ *»g 'mm^ 
allowing than to execute (gicfa as by masqueradrng as a new or welUnown coo:9)uter game or other 
product). Eidsting security problems may be utilised to introduce log^ 
problems inchide Java bugs, errors, ca oveisi^its, inefifecttve idiysical security (fixr exanq>le: 
10 permitting rogue software to be introduced directly on flof^didc by an intrude 

fttfadhiikiiU which automati cally execute or execute aft^ a sinq>le mouse-chck, incorrect security 
settings on intan^ wmld-wide-web, TCP/IP <»* modems, and tanqimng (see definitioa hmafier) with 
I ntimat e software in-transit as it flows from remote internet sites into a users conq^uter, to name a 
few. 



IS I^Pgue software, once introduced, can steal ID-Data as meationedheranbefore. It may monitor 

kByboani(fi»^ example: by reocmh^g every key, as tfie user presses each one, in order to steal a 
password as it is bdi« typed in), serial-port, niouse, screen, or od^ 

from them. It may monitor other software, an>lications, the operating systm, ch- disks to steal ID- 
Data from thoe also. Once stolen, this ID-Data may be stored locally (fin- exanq>le: in manory or 
20 disk) or tr ansmitte d to remote tocatioos (fi^ exanq>le: by modem or network) or used immediatdy to 
p^fiirm iO^l operations. Hmafter, the tenn eavesdropping wiU be used to refer to the monitoring 
of a computer to record ID-Data. 

For example, a key press records could secr^, and unbdmown to the coaq>uter user, record 
all the keys pressed by the user into a hidden systons file. The infinmatioo recmied couM inchide a 
25 user's password ami oAer sensitive infinniation which an organisation vvoold 
protect. 

AcU^imally, rogue software niay ronove, disable, (»r oonq)romise e?^^ 
securky features by nKxliQmigtiienietttCHy,didc,cffodier image of Rogue 
software may also iAilisetanq>ermgtBdmiques to ait^ existing conqntt^softw 
Data from it> or may attach itself to existing computer st^ware (as is the case with man y ww y ^ft^ 

viruses). Hereafi^, die term tanipermg win be used to refa^ to the abovenuntioned 
computer software. Tampering may take place eidi^ locally (widiin a users PC) (h* remotely 
exanq>le: at one ofthe points i^cfa a con^ut^ program passes throu^ as it is being download). 

Further, countafeit software can be subshtnferi frtr byyimatf^ fwftwarp The counterfeit will 
3S appearrealtoacoaqnteuser, but actually acts to subviort security, such as 1^ 

Sometimes called "Spoof* programs or Trqan Horses, count^^ software of this type nuiy invoke 
die original legitimate software after having stden ID-Data, so as not to arouse a users suspidon. 



30 



Another potential security flaw feimd in coofmter software pn)ducts is suscqiti^ 
e x a mination and reverse^enginemng. Known (but genmliy secret) and other security problems or 
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ffiigralrt»c can be discovered by hackers and the like fiom the examination of existing oooputer 
software and by tracing its operation. 

Addftionally, Coo^uter software piracy is a growing problem, and the existing wspie means 
which prevent this problem (mch as registration or s^ial numbers and custoaner-names being encxxied 
5 wtfliin die product) are becoming less eflfective. 

Tbere is necessity within the try4)eKne^you4y^ 
effective features ^diidi aDow old software to expire without fi^ 
eoqmy features and for secure registratioa of software to be pro^^ 
untock^oodes. 

1 0 There is also need fiif software to be d>le to prevent security attacks upm itself (ie: tanq>OTig) 

and upon its own attadc-detection code. Thare may also be a future need fiM* software to identify die 
attacker fofr subsequent prosecution. 

Thiae also exists cases whare untanQ>erable software usage n^tering may be desiral^ and 
wheve eflbctive passwofdrprotection of software execution may als^ 

IS Knonm advances in certain areas of Gonqniter security have been succ 

There ha ve been some advances in anti*virus tedmolc^ vriiid h^ 

problems. Th^ have been numerous advances in hardware-assisted computer security add-ons and 
devices, such as smartcards and biometnc input devices . There have been advances in cryptographic 
tedmiques. Generally, all of these advances require audientic, un4anf>ered-wdi con9>uter software in 
20 ordo-towofk. There have been rdativdy few advances in software-based integrity self^iied^ 
tanqier protectionX and no prior software-based advances in preventing eavesdropping or die 
electronic theft of ID-Data, and no prior software-based advances in sdf-auth^ 



Summary Of The INVENTION 

25 Tliis invention describes a process v^^iidi substantiaUy enhances the security of conq>uter 

software O^ereafier refered to as the inqiroved process) and a mediod by iMdiich to apply said 
in;)roved process Qieteafter referred to as the qypBcfltor). 

The inproved process consists of inchKhng ccmqjut^ 0^ 
said oontiputer software, and conq^uta- cocte to prevent die Aeft of ID-Data by replaciog existing 
30 vuboabte (to n)gue software eavesdropping or attack) software or opiating system code wtt^ 
equivalents iiriiich utilise anti-^y techniques (as described latar m 

PreferaUy, the improved process also consists of including ccmqsuter code to prevent de- 
compilation, reverse-engineeripg, and disassembly bylhe inclusion of drfuscating code inserts, and the 
use of executable encryption. 



35 



PrefaaUy, Ae inq>roved process also consists of inchiding code to prevent execution-tracing 
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and delnigging by die use of code designed to detect and pi^^ 

Prefeably, the mq>ioved process consists of, oralso indudes, human-recognisable audio-visual 
conqxneotsin^chpOTmt the authenticity of »id coaq)utCT software to be easily verified by the user 
on each invocation using techniqites desoibed later in this document . 

5 The idea which lead to the oeationoftfus invention can be sunmmised as fo Ifapiece 

of oon^uta^ software that is executing can be sliown to be tte genuine aitide» and diis software can 
protect itself against eavesdropping, and Ais software can prevent tampering of itseb^ then is it 
possible far this software to function in a secure manner, even widiin an insecure operating system . 
This invention pennits the oeation of such a piece of c(Hq)ut^ software - ha^ 
10 security advantage and hence inq>roving its vahie. 



Brief Description Of The Drawings 

F^.l iUustrntesAestandanlopenaionofa computer system known in tte 

Fig.2 illustrates the known operation of a rogue or "spoof program^ 
IS Fig^ilhistratesappbcation code tqxlated with the pref^^ 

Fig.4 illustrates the known operation of a rogue eavesdropping program; 

Fig.5 illustrates the interaction of ftie conqxnents of the iq>dated q>pIication; 

Fig.6 illustrates ftie general structure of the preferred embodiment of the sq>plicator; 

Fig.7 illustrates a standard layout fixr a program to be executed on a conq>uter system; 
20 Fig.8 ilhistrates Ae standard layout of an EXE header under the MS-DOS operating system. 

Fig.9 illustrates a stsmdard layout of an EXE program under MS-DOS; 

Fig. 10 iltustr^es an altmd executable form constructed in accordance with the specific embodiment; 
Fig. 1 1 illustrates a first stage of execittion of the new.exe executable; 
FigJ2 ilhistrates a second stage of execution of die new.exe executable fille; 
25 Fig.13 ilhistrates a third stage of execution of the new.exe executable file. 

Detailed Description Of Preferred Embodiments 

As will be desoibed hmmafto*, fte present invention has general ^^licability to many 
di£Eerent operating systems jnchuting Mioosoft DOS (Trade Mark), Apple Madntodi Opmting 
30 System, Unix (Trade Mark) etc. 

Described hoeafter are several security-enhancing techniques to con 
Security is provided by (a) hankering examination of software-code or opmting system code or parts 
thaneof through the use of tfie encryption or partial enciyption of said code, (b) p reve n tin g the 
disassen^ly of said code through die inclusion of dummy instructions and prefixes and additional code 
35 to mislead and hamp^ disassembly (ie: obfiiscating insets), (c) preventing the computerised tracing of 
the execution of said code (for exaiq>Ie; with code debugging tools) throu^ the use of instructions to 
detect, mislead, and hantq>a^ tracing, (d)preventingtanq)eringof said code duough the use of scanning 
to locate alterations, either or both on-disk and in manory either once at the start of execution, or 
contitmiously upon certain events, or (e) preventing ID-Data theft duougli the incfaision of secure 
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nq>ut/(Wtput routines (for exanq)le: footmes to bypass the standard operating system keyboard calls 
and use costom-writto) hig^-security routines as a replacement) to replace insecure computer- 
system routines. Haeafi^,tfietamanl»-q»ymUbeusedtorefotoanycGsnbina 
of the abovementkoed tedmiques [(a) tfaioug^ (e) or parts tfamoQ used to prevent eavesdropping 

5 RefbiingiiowtoFigJtlimisilhistiatedtfae 

executable program 16, underlie control of a oon^mteropera^ hAe 
prefened embodiment of Represent inventiaa^tbe executable progn^ 16 is subjected to modificatioa^ 
as win be desoribed hminafi^, to eDsuie its integrity and inqmyv^ 

Thm are five aspects of tfus inventions improved process, abboi^ ^ 
10 substantiaDy improved even ifmit all oftfaem are present. Ibese aspects are: (1) Preventing 

eavesdropping (2) preventing disassonbly and e?camination (3) detecting tampermg (4) prevoiting 
execution-tracing and (5) ensuring autfaentidty . 

Ibe pretfered embodiment of Aese aq>ects of Ibe present invention will now be described. 

AiDcct 1, Ptewntingwfadroppipg, 

IS As hmnbefefedesaibed» it is desinible to prevent rogue soflwarefiom eavesdrop^ 

Data. By replacing software vrfiidi is vulnmble to eavesdropping with equivalent's 
&r more secure, this puipose is achieved. Toremovethe vulnerability from said equivalent software, 
replacement routines may oonmmnicate direcdy with the hardware of tiie conf>ut^ (for exanq)le, they 
may communicate wtt the keyboard drcuitry instead of using the system-siqiplied (and hence 

20 possibly insecure) sq)plication int^&ce keyboard-entry function-calls.) ^Me disabling system 

intOTiqrtswhidiwouklpemut rogue software to eavesdrop. Said replacement routines are coded to 
store ID4>8ta retrieved in a secure manner. n>-Data is not stored in foD in plaintext (ie: unencrypted) 
in system or application bufiers. 

Agoect 2 Fre vcnt ipg <Ksassembiy and namination^ 

25 As handnbefinre Ascribed, it is (tesirable to hamper dtsassend>ly (or de^oompilation or reverse 

Pti gmMr ing) tit pinteci software againist ea v es dr o pp ing and tanyering. and to hinder examination of 
said software whidi inigbt lead to secret security proUems (»r 

Obfuscating iiis^ can suocessfoUy prevent automatic disassembly. Obfiiscatkn is i^faieved 
by following unconditional jtnq> instructions (ftn* example, Intel JMP ch* CLC/INC combinatiGn or 
30 CALL (wrdiout a return expected) or any flow-of-control altering instruction wfaidi is known not to 
return to the usual place) with one or more dummy op-code bytes vMA will cause subsequent op- 
codes to be erroneoudydisassenMed (for exanyfe, the IntdOxEA prefix wiB cause disassenJ^ 
the aibsequent 4 opKXxles to be incorrect, diq>laying them as ftie ofl^ to tte 
indicated by die OxEA prefix instead of the instructions they actually rqiresent). 

35 Dumniy instructions niay also be induded to hanq>er disassembly by ddibeiat^ 

<«c«ccfitnM iy inin KOwwrnig ft pattirailar fiftw rf cruitfttl will QCtaiT, wben in fact it willnCt. 
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Flow cyf ccntiol can be designed to occur based iq>on CPU fl^ 
instnicdonscxBcutedalGogtime^D. TogediQ^ with tracmg prevention* this makes manual 
disassembly nearly myossiMe. 

Ibe majority of the executable portions of die software can be enoypted for ext^nal storage. * 
5 Ihe de^yption taking place in-aienK)ry after the software is k)aded fiom Memsi sources, under die 
oontndofadeayption*1ieader**^ch prevents its own tanqp^^ lUsmakes 
manual and automatic disassembly nearly inyossible, since die decryption should be designed to ftiil if 
tampenng or traong is delected. 

Aspect 3 DrtrctmytaittDcriDg> 

10 As hereinbeftxre described, it is desirable to detect tanq)mng,sm 

reduction of software security. 

llus can be acineved widi the use of code wbidi is pnitected 
tfarou^ obfiiscation and encryptton, which re-reads its own extenial-nn^ge and conqvares it with its 
known memory ima^ or pieailrnlarf)d chedc-data to detea hot-patchmg Qe: die modification of 
15 software sometime aft^ it has been badedfim disk, but (usually) befi^ 
sectiuu has commenced). 

Additional^, the software can scan die nemcHy hnage of itself one or m(»e times, or 
contiQuoudy» to ensure that une9q>ected ah^aticxis do not occur. 

Certain modificatioQs to die external copy of software are reflected in subde dianges to die 
20 environment in yiUndi the imxlified software will be executed (fin* example: die size of die code, if 
altered, will be reflected in the initial code^size value siq>pUed to the executing program bdng 
incOTrea.). Additionally, certain modification to the opmting system and environment of sai 
software can also be monitored (fi>r example: certain intemqjt vectcnr table pomters in Intel-processor 
appiicatians) to detect unexpected changes by rogue software. These changes can also be detected to 
25 prevent tanq>miig. 

Once tampering is detected, program flow-of-ccntrol needs to be changed so that the potential 
con yro miseassodatedwidiIIM)ata theft is avoided. Ibis may be die security-enhanced program 
ta minat i ng with a message indicating that its iiitegrity has been c o iiyr o m^ ^ 
Data is entaed. Alteiiiativriy, the fiKtdiattan9>mng has been detected niay be k^ secret^ 

30 ID-Data retrieved, however, iinmediately lyon retrieval, die ID-Data entered can be invalidated thus 
preventing access to diat iH^iidi the now potentiaUy oxi^nHiiise^ 
allowed. This latter inediodaUowsftsr die possibility of security^^nhanced so 
or other audiorides that tanqimng was detected and possibly other infi>nnation, sudi as what 
specifically was ahered and by ix^om. Care must be taken to ensure the mtegnty of the ^remote- 

35 infimning^ code befi>re ID-Data entry is pamitted. 

ft wiB be apparent to one dolled in the art of low-level software progr ai i mii i ^ 
aspects described hraran niay be combined to provide substantially stranger sec^ 
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taken on its own. For instance, to combine tamper-detection wifl> encryption, the prec alra i tat ed check- 
data as derived during tanq>ar-detectian described hereinbefbre may actually be cne part of the 
deoyptica^cey^cfa is required to successfUly decrypt the lemai If 
prevendoD-of-iiadng and e nvir o nm ent characteristics (induding debugger detectiGn as described 
5 hereaftg) are additional poitkgis of said decryption4sey, it makes Ae cfcterminatifMi of said 
deciyptiun-key by any person or computer program otfao* than the secure cmgjnal an cAliouely 
diflBcnlt^ if not inq>05stbley task. 

FurtfaCT, it will also be apparent to one skilled in the art of low-level software pr ogr an mung that 
a single construct such as a INE to aha* pn)gram flow<ifHXSitrd after 
10 insufiBdent^aiioetfie JNE construct itself is subject to tanq^^ The denryptkn process described 
herrinbefim is preferabte since thOTe is no single point of altmtion that can 
executaUe that would execute, hdeed, the executable protected with enoyption will not even be 
transformed mto its intended fisnn iftampeiuig is detected. 

Aqycyt4Pre!VtMitmg^iecaft^^ 

IS ^>art fircsn**spoo&ig'*(desaibed in aspect 5 hereafter) the last resoft of a rogue who is 

prevented from disassenibly^ tampermg, and eavesdroppixig on software is to trace the execution of 
said software in order to fecilitate the compromise of its security. Hampmng tracing (tradng is 
sometimes called ddnigging) prevents this. 

There are numerous mediods of detecting a debug-environment (ie: ixAien tracing is taking 
20 place). When combined wttdeciyption and taii9>er<protection as hereinbefbre de^ 

rogues task of detecting and bypassing debug^detection extremely difficult. Reference and exanq^les 
to faitel and MS-DOS environments faXkm hereaft^, ahfaoug^ it wifl be appar e n t to one skilled in the 
art that diese and similar methods are applicable on other platfi>rms. 

Staidard hitdx86 interrupts 1 and 3 are used by ddmggers to fiidhtate By 
25 utilising these interrupts (vibiA are not normally used by normal qjplications) m security-enhanced 
software, it hanqpers c^mgging, since built-in debugging functions are now not automatically 
available. 

Monitoring the system tinier to (kcennme if software execution has q>ent ^ 
accomplishing obtain tasks can detect a situation vAme code tracing has been in efExt and a 
30 breaIq>oint was reached. 

Disabhng the keyboard will hanq>er debuggers, since tradiig instructions are usually issued 
from the keyboard. Similarty, disabling odier places frwn where tracing instructions are usually 
issued (eg: smal ports, prints ports, and mouse) or diq>layed (eg: screen) will also hamper tradng. 

System intemqits can be re-vectored for use widun the secure software to perform tasks not 
35 usually performed by dioseip te n u pts. Debuggers usually rely upon system intmupts also, so to do 
this would usually disable or destroy a ddnigger being used to trace the software. 
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Disabling luteinipts and peifbfimng tmung-'Saisitive instnicdons between Ibem will fiiitfaer 
hanv^debuggb^. When tiadi^ software, instnicdcnsaie usually exec^ 

fix' the user to und^standdieir operation. Many system inte rr upts must occur icgulariy (eg: timer and 
memoiyie-ftesfaopeiationsX so debiggOT usually do not disabte i n te rn ^ oven ¥^ien ihey encounter 
5 an int^iupt-^isabliflig instruction. Iftimers and the like are re-wctcmd in two separate stages, my 
timo^ (etc) intmupt occunring inbetween the two stages will 6^ 

Further, interrupts am be disabled or enabled using obscure means (widi flag-ahering instructions fi>r 
exauq)le) to han9)er tracii^. 

Disoetdy testily tiie status of disabled enabled syst^ fedlit^ 
10 VBCtor-fXHttters) to ensure thai a debi^-erivinimi^ 
hampOT tradog also. 

CatainconQ>nter processors have instiuction caches, bi some drctmistances, it is possible to 
aherthe instructions immediatdy befimihe CPU eoocmntm them, but tibe ah^ed instruction will not 
be executed nonnally because the cache copy has die ''old*' one still, b debug environments, the cache 
IS is usually fhidie4 so any ateed instructions win actually be execn^ Hiis again hampers tracing. 

Uang strong oryptogiafAic schemes, such as DES, or 
eiuunmation of any decryption routines fiom revealing a sin^te 

When tracmg software, the program stack is usually used l^r the debugger 
tracing opmtions or at other times. This is easily detected, and by using die area of the stadc Mduch 
20 will be destroyed by unexpected stack-use for code or critical data, software can be designed to self- 
destruct in this situation. 

Scanningdie co mman d environment and the execution instruction can detect die execution of 
software by unusual mems. Searcfamg for *l>EBlXi** in the oonamandlme, or scanning meniny for 
known debi^gm for exan^le will detect tradng. Additionally, by detectii^vrfiich operating system 
25 process initiateddie load of the software, unexpected processes (eg: debuggm) can be detected. 

Montonng system buflfers (eg: the keyboard memory bufi^) or hardware (eg: the keyboard 
drcuity and internal buff^) for unexpected use (eg: keyboard iq>ut and pr^ 
d^ software is not requesting it) win also detect debuggers, i^Aiicfa usually rdy in part on system 
fanctions in order to opCTate. 

30 Building a process or m]iltq>le processes which are tnuhticnany difficult to trace, sudi as a 

resident or GhiM process ^ch executes during system intariqits or after the pare^ 
terntinated win a^iain hanyg tracing. 

Bypassing systm routines (eg: in DOS, using direct memory writes ins^ 
calls to rovector inteniqpts) wiU forther handier debugging and togoQ software nxxiitoring, as wiU 
35 unraveUiiigtoop constructs (vriiidi win niaketradng long an^ 



Code diecksums and operating-system diedcs (eg: internqit table p^ 
delect debug4maiq>dnt instruction iiiserts or odier modified Using die result of the cfaeckmm 
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for scHiie dTSCQie puipose (eg: ddc^yptiaa, or (much later) control-flow changes) will furdier haiq>er 
tracmg. 

It will be qquuent to one dolled in the ait of low4evel software piograniniing that a 
combination oftedhniques to detect, prevent, and 
S tra^igv^ difficult, if not infxssiUe. At the very least, it will require an expert wi±v^ expensive 
tools and poiiaps sooie und^standing of ^ original software des^ a ver^ 
driwigging progress - a situation vrfiich is recognised in militaiy software security accreditation 
worldwicfe as h^lily desirable. 

Aspect S fcisoriag anthcuticitv* 

10 baccofdanoe with an a^)ectofdie present invendon there is pnivided a medio^ 

for a secure entry of ID-Data in a computra- system conqprising activating a visual diqilay or 
animation and/or audio feedback O^er^ft^ called an atuKoMsoal conq>onent) as part of said 
secure entry of ID-Data so as to hanq[>er emulation of said secure entry p^^ 

Preferably, die mimatton indudes feedback p(»tions as pait of the ID-Data entry process. 

IS Prefeiabiy, the animation is Tq>eatable and varied in accordance with the infi)^^ 

The animation prefaably ccm^rises 2.SD or 3D animation and inchides animation of any ID-Data 
input. 

Preferably, Ae animation is designed to tax the ccmiputer resources utilised and Aereby making 
any foigery thereof more difficult. 

20 Notwithstanding any other forms ^ch may fell widiin the scope of the present invention, 

preferred forms ofthe invention will nowbe desoibed, by way of exanq>le only, with reference to tfie 
accompanying drawings. 

In tfie preferred embodiment of the present invention the user interfece for the acquiring of ID- 
Data is secured iM^aeby the diq>lication of the int^ce is rendered mathematically conq>lex such that 
25 cq»h^-code breaking techniques are required to produce a countar^look-al^ By making 

the authentication intrarfece (ie: ID-Data entry screen - for example: a logon soeen or a screen for 
entering credit card details) unaUe to be emulated, tampered with, or reversed engineered, the 
^[^Ucatton program allows for a higher d^ree of security and authenticity even 
environments such as the Internet or home software applications. 

30 Referring now to Fig.2, Am is illustrated a dassic form of rogue attadc on a coaq>uter 

system. In this fonn of rogue attack, a rogue's "spooT program 22 is inserted between sqyplication 
software 16 and tiieus^ 23. The jq>plicatioQ 16 nonsuiUy has a portion 24 devoted to ID-Data entry 
and wiGcation or die entry of oomm^cially sensitive infixnnation (induding passwords etc) to Ae 
s^licationin»kiitu3ntolhe^ticattoncode2S. Hie spoofprogram 22 is designed to exactly reflect 

35 the presented us^interfeceoflD-Data entry code 24 to the us^. llie user 23 is then ftx^ 

utilising the oiasqu«adingspoofpn)gram 22 as if it was the plication 16. Hence die user can be 
tridced into divulging secret infimnation to Ae spoofprogram 22. An exanqile may indude a dassic 
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"login ^xxyTiTiAiaieia the spoof program 22 prii^ ID-Data entiy) mcssago on the 

screen and the user mistakes the login pnHUpt for a legitimate one, supplying a user name and 
passwmd to diis program 22 ^diidi leocHds this infb^ 

24 of ^Ucation 16 so as not to arouse the suq>idoo of user 23 - or by issuing a message, sudi as 
5 "inccHiect password, please try again" and then passing c(^^ 16. 

RefeTingnowtDFig.4,fhereisiIhistzatBdareI^^ Thisform 
of attadc proceeds sinularity to the spoof attack of Fig2»widitl» fasteadofa 
spoof program 22, a rogue program 41 is tnsrated iK^iicfa secret^ 
24, or on application code 25, or oo opmting system 17, or on hardware 18 <^ 
10 steal sensitive infbnnatiGo directly fiom the legitima^ Since Ite legitimate qi^hcation is 

stiU actually executing, the users suq>iciflo is ruit aroused, since rogro is genially 

invmUetotfaeuscT23. Altamativdy,eacecutable p r ogr am 16 mayhave been tampered wiA (as 
hereinbefcHe described) to reduce its security, alleviating Ae necessity for the presence of rogue 
program 41. 

IS h Fig.S, there is iUnstrated in detail the structure of m^Ucation 50 ccnstructed in 

aceorrlftnce with the pr a fe a'f ^ ^ int ^ i tm CT t rwming on tw uyuiB r hat d waitf 18, Fig.5 is similar to 
F^4 with the important difieienoe diat user 23 ricw ooinnmnicatK 

^K^ucfa are part oflhe secure ID-Data entry program code 31 vriiicfa is utilised by die security^nhanced 
(eg: tanf>OT protected) afq^Iication code 52. It can be seen diat the user 23 no longer communicates 
20 with tteopmtting system I7ortheutq>rotectedconq3uterhanlware 18, thus the rogue program 41 
can no longer eavesdrop on ID-Dab. 

In Fig.3, thm is illustrated, in more general tarns than Fig.5, the structure of an an>bcatioD 30 
constructed in accordance widi die prefered enibodiment vriierein secure ID-Data entry program code 
31 is provided which is extrenielydifficuft to replicate, eavesdrop upon or » Ihe secured ID- 
25 Data entry program code 31 can be created, utilising a tminber of diflBa^ 

Firstly, the executable portion of the secured ID-Data entry code can be protected against 
tracing, disassembly, tanq>CTing, viewaqg, reverse engineering, keyboard entry theft, eavesdropping, 
iKstpatcfaiiig arid othra* attacks by trarisfommg the secured ID4)fi^ fiomits 
normal executable form 16(Fig.2)toacmespondingsecuredformofexecutaUe(ashambefore 
30 desoibed - refe- aq>ects 1 to 4). These techniques are prefeabty applied to die q>plication code 16 in 
gen^ or less pref^bly specifically limited to the ID-Data entry portkx^ 

AdditionaUy, the secure IIMlataentryprogram code 31 is itself oeated. Thiscode31 
preferably conq>rises a cosiq>lex graphical user interfoce series of soieens and animatioo designed to 
make diqphcadon by a rogue thereof extremely di£Bcuk. 

35 Initially, the oooq>lex user iiit^&ce should inchide&dlities to disable any fian^ bufier 

reoofding devices, die disablement oocuning before each fiame is dispbyed 
taddng opmting system is in use, or vriim context switdiirig is enabled, switching out of the 
inteffoce screen is pr^ably disabled or ID-Data entry procedures encrypted or te^^ 
intttfece screen is swsqqied out. The images presented v^difimn part ofthe ID-Data entry screens 



wo 97/04394 PCT/AU96AK)440 

-11- 

comprise complex 3D animation sequences having a hig^ degree of oonq>lexity and extensive use of 
scmn colours and screen resolution in addition to visual design so as to make copying thereof 
extremely difficult. 

The ojmplex computer graphics can be oeated utilising standard tec^ For infimnation 
S on howto create complex 3b imagery* reference is made to "Gmqiuter Graphics, Princq>Ies and 
Practice'' by Foley, Van Dam etal^pubUdied 1990 by AddisonA^TesleyPublidiing Company or otha* 
standard textbooks on generation of conqyuter graphics. Reference is also made to the numerous 
mtexnet news groups archives on graphics and games pipgramimng, q)ecifically to: 
conq).gn4>hics.researcfa, ccxqi.grqdiics.renfbring, coiq>.grq)hics.iaytiaciiig, oonq).grqihics.misc, 

10 conqy.graphics.dtgesty coii;4>>fer^pfacs.aiim^liiMi, conq).graph]cs.algorilfamSy comp.graphics, 
alt.gr^hics.pixatils, alt.gr^hicSy rec.games .programmer, comfy .sysprogrammer, 
comp.sys.ibm.prograimner, con9.sys.ibm.pc.programm^, confy.osjnsdos .programmer, 
c(Hiq>.msdos.programmer, att.msdos.programmer. Refoence is also made to "PC Games 
Pipgr ai mn ei s Frequently Asked Questions'* document available on ibe intmet, via 

15 rec.games.piogiaiumer and dse^^^iere. 

By encoding a oon^iex 3D image vAicfa forms part of the ID-Data entry screens, the hanOe 
requironentofa rogue to reverse engineer the amqykxiniagery is substantia^ Ihe 
inclusion of graphical animation is advantageous in preventing static sCTeen shot duplication attacks 
by a rogue form succeeding. 

20 As noted above, it is prefeable that traditionally difficult grsqyhical programming techniques are 

CTq>loyed i^erever possible, with the aim of making it more detecta b le for a user intmcdng with tfie 
system to discan lesser copies of the animation. Suitable 3D animation can inchide tfie introduction 
of shadows, the lig^itiiig of psaido-3D animated objects, tranqyarent or translucent <4yjects, shiny, 
reflective, or mirrored objects, gravitational effects in animated objects, sing)eHinageHrandom-dot- 

25 st^eogram bitm^ys or backdrops, tranducent threads, effects, such as diffiaction patterns, screen 
madcs, badcdrops, colour palette "animation'', conqylex animated objects r esist ant to sin^yle hidden- 
surfece removal tedmiques known to diose skilled in the art arid directed to hin^^ 

Further, tfie animation can take mto account: 

1. Thwarting attmpts at com p r e ssi on of the ID-Data entry screens . Hiis can be adiieved by 
30 havii^ animation vMA has low visual entropy and having many graqyhical dements v^ch are altered 
fecHnfiraine^frarneinaniaimerwhichishis^discenubletothefam ^art ffim being 

difficult to rephcate, conqylex 3D conqyuter imag^ having low entropy or redundancy will require 
large amounts of stors^ ^ce for a rogue attoiqyt at di^Ucation based on recording the screen ou^ut 
and dierefore be msm readily discernible to the user diould this form of attack be mounted. 

35 2. The animation is fartfag prefaably (fesigned to Awart a successftl replay attack ^cfa is 

based on providing only a subset (bnited number of fiaines)oftiies(mnaniination to a vi This 
can be achieved, for example, by the tndusion of sev^ animated spheres whidi lyounce" around the 
screen and diange cdours in a manner that is recognisable to the viewing user but inUdi is not readily 
rqyeatable. A rqiiayofonly a subset ofthe screen ariirriations to the viewer wUl be hig^evide^ 
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this case when, vpm looping, the user is alerted to a problem vfiben the animaticQ "dqps** or "junT^s" 
aiid does not operate in a previously smooth manner, lliis makes ft difiBcult far a rogue spoof 
program to copy the animation without induding all parts of it. 

3. Most iiq>oitautly, the gnqriucs presorted can be customised to the iqnit data entered. For 
5 CMny le, the infimnatinn entmd by a nser can be fendemd and/nr flnimatflrf }iy thff iffyrpiy TH-riftt^ 
entiyprogramcode31 (F^.3). AsaDexan9te,inanID-Dataentryprograni,^riienattsertypesin 
tfieir us^ naine, the aniixiatiaa can be oeated letter by letter. For eiQ^ 
name XHRIS" each lett^ could be rend^ed diffmntiy depending on diose draracters previously 
typed, F(H-eocatnpte,tfaelett^T'mi8^qq>earasaIarge'1>arbe^ 
10 oohnr, speed, size, and/or posftkn and is sightly tians^^ 

v^ikii is a baduirop to tibe character to be discerned diroug^ the cfaarac^ Fm* exanvle, in the 
above exanq)le, the letter T' would only qypear as the speaBc aninoated barbers pde diat is does if 
the previous letters entered wm "C", IT, and "R** respectively. 

Tha ntiK^arinn of a imign^ ffiMptaiCT t^samnsiituwx bagpd Of) a IISCT^S wyfit ftf mfentBrtinn 
15 sensitive data irtClBases lOe diflBcnlty of aegring any "yiof prngram" sutf^A m fj^ qyK^?^tfi<y| ^fl 

lliis is espedaliy the case since Ae execotaUe code of qiphcati^ 

form. Iheoseof aiMnatlonbeingparticnlartolheofirfainwhi^ ^jh^ rarfgfy iffip fgtfprpd 

particularly advant^eous as the coo^Hitational conq>Iexity of replication is substantially increased. 

A similarly efiBxtive animation technique is to produce only one graphical object after entry of 
20 each portion of ID-Data, such as a consputs'-generated human's &ce, but have the features of said 
&cebedetmiiinedbyahadiorcryptogr^hicfuictioQbasediq>ondw Fcn-exanqple, 
after entry of ftie ID-Data '^CHRIS" (in this exarrple, the individual characters may not, themselves, 
be based on the abovmientioned generation procedure) , a teenage girl's fiice wiA 
andbhieeyesmaybedispls^ed. Iftfre*^** was mstead a the &ce would be entirely difiHsrent. 
25 Hie ID4>ata used fi>r produdng an olQect tor display diould rust be ID4)ata vrtiicfa is dfffpgft'Ml not to 
aiq>earon-6creeni^ien entered (eg: a password), since the display ofa corresponding object would 
give a rogue infiHmation on vriiich to base guesses of the secret n}-D^ 

By utilising cryptography or havirig ccnq>lex fiHnuilas to detmiiine the sequencmg of 
animation, the rogue progr amming ftie corTeyqMhng qxxrf program Aall have to CTadcthe 

30 cryptograjAicsdiemeinofriertogettfaefieletiinnnf 

attadc. bi the abavementicned example, a roguewiOhavetodetenriinediealgoridunfiyrproducirigdie 
fiice, since human beings are adqn at recognising feces, and will immediately notice iftite fece 
displayed on die screen is incmect. Such a technique allows fiy a mathematically secure, visual 
rnedwd to guarantee the auth enti d t y of the software ii<todigenenttestte Hie user of 

35 ti^ software is instructed to note their own particular animation sequence and to immediatdy 

discontmumg utitisatioo of the qjpUcaticn 30 should ftiat sequence ever cfaai^. Hie user may also be 
instructed to contact a trusted person, 9ich as the sq^lier or operator of the aqiplication to confirm 
that the animation secpioDce Aey witness is the audientic sequence intended by said sqyplier. 



Furtiber, the particular animation presented for a particular ai^lication 30 can be fiirdier 
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customised for eadi qyplicadon so as to be distinct (such as by die incorporation of die q)plicatioQs 
name as part of the animated image). 

Fuidi^ hindrance fixr a rogue progranamo' can be mated by hand coding portions of die 
anmatKB in assenridy language so as to generate the maximum possible oon]f>kxity and interaction in 
5 the animation ipith fKft fiighftc* }ffu^ of 4^^} ftpT ipdivifhial wCTtetation co u i puttttH . TUs fiiTth^ laises 
a hurdle alfcywing fiir the easier detectkn of rogue q>orf 

more oonvenknt^ h^^ levd lai^gaage (such as C or C++) yAudi wiD also opmte at a diff e r e ut 
9eed, tbe os^ being instructed to lode fer q)eed diffiraices. 

Furdiery animated scene timir^ cm be utilised, providing anti<4oopi^g and fiame removal 
10 detection is still catmd for. 'Ihearmiiated scene tiinirig allows for a user to detect uriesxpected 
irregularities in a fiequendy presented animated interfece. By including in the animation some 
ddibmte regularity (such as the rhydunic convergence of some parts of the animabon m one 
particular spot), a rogue prpgranmsing a spoof program shall also have to duplicate the preferably 
oonqilex tirrm^ evotts necessary to accomplish this ooovGigence. The regnl^ 
IS tirrurutdiould be high enough so that the user cqiectfi to see certam it 
diffic u lt for a rogue spoof program to copy the s a % nn^ ^^ widiout inrfiMihi g an parts of it. 

Preferably, ^mpossiUe, aO ID-Data is inunediatdy encrypted vvhicfa makes recov^ of the 
ID-Data by a nigue through analysis oftheoon^uter program riiemory difficult. Preferably, public- 
key oyptc^rqshicmediods (eg: Ellqytic-curve, RSAor Diffie-Hdbnan cryptography) shouM beused 
20 makmg it iiupossuUeto revise engineer the cryptographic code to decrypt any sensitive information 
should it be stolen in its encrypted form. Prohibiting all or most intemqsts vriien data is to be entered 
and encrypting or hashing the sensitive infeirmatinn immeHiat^ tfvtf if in only stCTpd partially, or in 
an encrypted form, before ro-enabling inteiiupts is one example of achieving this objective. 

As a fordm akmative, analysis of a user's personal cfaaiactaistics can be mcluded as part of 
25 theinterfiice. This can include a t tempts at rscognitkin of a user's typing st^ (duration of keypresses, 
ddays between subsequent keys, choice of redundant keys, mouse usage c^nirterittfirs, etc) or by 
additional audientication techniques, inehiriing smartcarcb, biometiic inputs such as finger prints 
detectors etc. 

Furdier, die grqjhical animation niutiiies can be "Svatmnarked" by the secure ID-Data entry 
30 program code in that ludden" infi»mation may be incorp o ra te d into the scene (for exanple '*salted- 
diecksunis") to alkiwcarefol analysis ofthe output of secure ID-Data entr^ to 
distinguish between originad gragrfiics animation and co uaterfeil animation. For exanq>le, the hidden 
kiformation may be encoded in the least-significant int of pixel data at selected locations of the 
animation. 

35 The user detmninaMe sequence of animation can akn grtend tn ^ prffvidwl a^f> ynimatinn 

For exmnple, audio nod ether foeifoack techniques inchiding music and qpeaking tones can be played 
in reqxinse to particular key strcdoe Gombinatioos. By utilisiiigdifiEereat voices and/or tones and/or 
volumes and pitches for eadi keystroke or combination, the security of the plication 30 can, once 
again, be substantially increased. The diange in voice intonation will be readily *1earnt" by a user and 
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therdyyfuitiber inhibit a rogue's ability to ^ Of ccuxse, 

die encoding of the voice system diould be in an encrypted fcmn. 

FuifliCT,q)an detecting any atteiyt to sub^ the secure ID^D^ (eg: 
subsequent to detecting tanyering)^ a notificatkn message is prefeably sent to a prosecuting body or 
5 theUkei7rfimtfae2^1icatioa30iscurientiy, orlaterbeocine^ 

Intemet, or by other means (eg: via Modem or by inchiding coded infixmatioD in public or other files). 

F(Mrs9q>licatiaa programs 30 requiring actrvation by a host program executed on a different 
con^m^, a secure means of activatian can be inoorpmated into the Ihehost 
and dioit intmommunicatioD can issue dialkoge and respcnse code autfae^^ 
10 utibstngayptographksystennssucfaaspublic-kqrenaypti^ 

ovmoming data iq>Iay attach and odierdireats designed to tridc the secure dient sq>plication 30 into 
activation. 

It would be q^redated by a person skilled in the art diat the process of oodi^ 
pnicessntilisiig these tecfankpes, together wiAadditicnaltecfam 
IS eavesdropping, and exeoitabte protection techniques inay be iiecessaiy to 
iirta£K». Addittonally, executable encryption, additiottal audi^^ 
desiiabte in producing die protected executable. 

It would be ai^redated by a pmon dolled in the art that numerous corobinatians, variations 
and/or niodifications niay be iiiade to the present invention as described widK^ 
20 ^irit or scope oftfae invention as broadly described. The present embodiments are, tfaerefor&y to be 
considered in aU respects to be iUustrative and not restrictive. 

Summary of the Appiicgtor fof an fanprovcd process of security as hereinbefore dcsaribcd> 

Iheprefored embodiment of the present inventions' mediod O^ereinbefore described as the 
^sqiplicatoO by ^^diicfa to apply an iinproved pn>cess of sec^^ 
25 be described widi refeence to die accompanying drawings. 

Refaring now to Fig. 7» diere is shown a standard format utilised for storing executables on 
di^ oAea occurring in the art, and in particular in conjunction with programs run on the above 
mentioned opoating systems, lie standard executable 16 nonmiUycon^rises a header section 71, a 
code section 72, and a data sectioo 73 . Hie header section 7 1 normally stores a standard set of 
30 infoimation required by the con^uter opmting system 17 (Fig.l) for running of the executable 16. 
Ibis can inchide relocation data, code size etc. The code section 72 is normally provided for storing 
the "algoridumc" portion of the code. Hie data section 73 nomially is utilised to store the data, such 
as coostsmts, or ov^ys 92 utilised by die code section 72 . 

Tuniing iiow to Fig.6, die preferred anfoodiment of an 2qq[>lic^ 
35 takes as its iqnit die executable program 16 mid performs an cdrfuscating step 61, a cqdimng st^ 62 
ami an anti-fay press and audientication step 63 (desaibed hereafter) yriuch perform various 
transfiHmatkns on the executable program 16 to produce a new executable program 30. 



wo 97/04394 PCT/AU96/00440 

-15- 

Tlieobfuscsttmgstq>61 modifies the head^ 71 (Fig. 7) of the executable 16 in addition to 
inserting loadii^ code ixducfawiU be desoftedhei^^ The cfdierstq) 62 eocrypts the existing 
esxecotaUe 16 and calculates check data (eg: a cfaedsum)^ Iheanti^Eey 
press and audientkation step 63 lepboes various insecure systm c^ 
S puflfeiiitbly MSfefft^ code to ^Af^ically rtpicaicait tte micy tiy of said eocpcutable p^i^^anL 

The newly filmed executable 30 (new.exe) can be thai stored on disk aid the iqiphcator 
program 60 completed, the new executable 30 replaciiig die <dd executable program 16. 

When ft is desired to nm the replacement executable imigram 30, the rep^^ 
(new.exe) executes the obfuscating code» previously inserted by applicator 60. The obfuscating code 
10 initkdly decrypts the executable program aiul validates Ae stored db 
(bcr^jted executable. 

The ibr^omg description of the preferred embodiment has been in general tenrs and it will be 
undnstood by those skilled in the art that the invention has gei^ral 
opetatittg systems, indudii^ MS-DOS, .^le Madittofih 0S» OS/2, 

15 The riiostoommoa operating system utilised today is the NfS4X>So^^ This 

operating system is designed to run on INTXL x86 rruaoprocessors and 

historical "quirks'* vMA give rise to greats conqylexity than would perhs^s be odiorwise required 
vAien designing a new operating system fiom "scratch". For illustrative purposes, there will now be 
presented a specific endxxiiment of the prefored onbodiment designed to operate under the MS-DOS 

20 operating system. Unfbitunatdy, the exanple is quite con^lex as it operates in the fiainewo^ 
MS-DOS operating system. Ih^efiHe, it is assumed that the reader is femiliarwidi systems 
programming under the MS-DOS operating system. For an extensive explanation of fte inner 
woridngs of the MS-DOS operating system, refaence is inawie to standard texts in this field. For 
exaiq>k, leferenoeismadeto "PC intern** by Michael Tisdier, puUisfaed in 1994 by Abacus, 5370 

25 52nd Street, S.E. Grand R2q>ids, MI 49512. A second usefU text in tiiisrnatter is "PC Architecture 
and AssenoUy Language** by Barry Cauler, published 1993 by Carda Prints, 22 Regatta Drive, 
Ed^ewater, WA 6027, AustraUa. 

Ihe q>edfic embodinrant of the present invention will be described widi refbence to akmng an 
''EXE" executable program under DOS in accordance with the princq>les ofdie present invention. 

30 Referrii^nowto Fig.9, thefe is shown tiie structure 90 of an executaUe ".EXE** program in 

MS-DOS as nonnalty stored on disk. Thisstructureisdosdy related to Restructure 16 of Fig. 7 
wdiichilhistrates the more geoend case. The stnicture 90 indudes a header 71, odierwise known m 
MS-DOS tCToindogy as the program segment prefix (PSP). Ihis isncmnallyfidksrwedbya 
relocation tabfe 91 vriiidb contains a list of pomtm to variable 

35 updated with an ofi&et address die program is k»ded into a particular^ ^ The 

operation oftherdocation table is well known to diose skilled m the a^ The 
next portion of structure 90 is the code area 72 which contains the madiine instruct!^ 
on the X&6 mi cr op r o c essor. Thb is followed by a pro-am data area 73 ^diich contains the data finr 
codearea72. Finally, dim may exist a nuinber of overlays 92 which contain code which can be 
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RefonngnowtoFig.Sythmissfacnimthestnictiirerf Hie 
table of Fig.8 being reprodiioedfiom page 750 of the abov^ ItslKxildbe 
noted that tfiehead^ 71 indudes a nuniberoffidck including, fin- eKanq)le» a pointer 81 to fte start of 
5 the code 72 (Fig. 7)attdapointer 82totfaereloc8tioatable91 (Fig.9). 

In Ae specific embodinaent, the ^Ucator prograni 60 (F^^ 
foUowing steps: 

0) Ibe executable prv^nmi 16 is opei^fo reading and a detmmnati 

(2) llieheada'71 (Fig.9)ofexecutabteprogram 16isthenieadinandacGpyisstxmd^^^ 
10 applicator program 60. A co|iyoftfae heads* 71 is written out to fiann part 101 of the iiew.exe file 30 

as iUustrated in Fig.10. 

(3) Next^firomtfaefiddsSl, 82oftheheader71 (Fig. 8)adetenninationisniadeofthe5izeof 
rdocatioo table 91 of executable program 16. 

(4) Next»detennination is made oftfae size oftfaeexecutabte code 72 and data 

IS (5) TherdocationtaUe91 istfaenreadintotiieinemoiyofdieqyplicato^ As 

noted prevkmsly.^rriocationtaUe 91 consists of a series oftfae pointers to portions vndiin code 
segment 72 ^K^iidi are required to be qxiated vAen lo^ 

execution, lite rdocation table is sorted 93 by address befimbdng written out to 
executable file at position 102. 

20 (6) Asnctedpreviously, Ae relocation table 91 consists of a smes of pointmint^ 

72. AdetOTninationismadeofthesizeofaoode^knownasAe'^etsafe I"code 104,1hecon 
this code will be described herCTiafter. Next, a search is conducted ofdie sorted relocation table 102 
to find an area between two consecutive pointers within code section 72 ^rfiicfa is of greats magnitude 
tban die size of netsafe 1 code 104. This area 94, designated part Bm Fig.9 is located. If this code 

25 portioned 94 cannot be located the qqplicator program 60 exists widi m mor condition. 

finding code portion 94, the code portion 95, also denoted part A is en 
across to form new code portion 103. Code portion 94 is Aen encrypted and copied to an area 105 of 
new.exe30. The netsafe 1 cocfe 104 is then inserted by applicator 60. Code portion 96, also denoted 
part C is encrypted and copied across to fi^rm code portion 106. Data portion 73 and overlay portion 
30 92 are copied into new.exe 30 as sbown. A second portion ofdrfiiscating code, denoted "^netsafb 2** 
1 07, tfie contents of ^^Mdk will be described heranafter, is then inserted after ov^ays 92 aid before 
code portion part B 105. 

(7) TbeheadCT 101 is dieniqxlated to reflect the altered layout of new.exe executable 30. 
Additionally, the initial a(Uress 109of execution stored in header 101 is altered to be the start of 

35 netsafe 1 portion 104. 

(8) Asmentionedbefbfe, co(fe portions 103, 106 and 105 are subjected to eno^ 
en^jherment in accordance widi stq> 62 of Fig.6. The encryption sdieme utilised can be subjected to 
substantial variation. In this enibodiment»tfieDES standard encryption scheme was utilised. This 
scheme relies on a fifty-sbc bit key for encryption and decryptioa and is wdl known in the art. 
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Once encrypt it is necessaiy to the dectyptm Anumber 
ofdififocntinediodsca&tetidlisedtostCTOthel^^ The preferred inediod is to spieadpcHtiflDs of the 

to different positions wiAinlfae executable 30. For exaiq>te, bits ofihe key can be stored vndm 
theiietsafelcodel04andBetsafe2co(tel07. Additionally, hits of the key can be stored wiflm 
5 head^pcHtion 101. Also, it is envisaged that bits of Ae key can be stored in tibe condition codes 
^cfa are a consequence of exBcuticn ofvarious instructions widiia iietsafe 1 area 104 and netsafe 2 
area 107and/<Mrtfaecpmtinigsysteni 17(Fig.S),^tfieoveranreqm 
later extracted usii^ a predetennined algofidhm. 

(9) llierK^ step is U>patdi the address ofthe start ofcode area 72 and netsafe 2 co^ 
10 107 into tfie required locaticnswithm netsafe 1 area 104. 

Ibe netsafe 1 area is then written to d» file containing new.exe executable 30. 

(10) Thearea 106isthenencTn]tedasafinementionedandwritt^ 
Mowed by overlays 92 and enoypted netsafe 2 code poftxxi 107. 

(11) As wiU become q)parcntheiaiaftar,tq)onerocutto^ 

IS area 107 is responsibtefcH-kading code pcmion 105 owti^ Ihoefore^it 
is necessary to write the rrievant addresses ofthe start and end of code portion 94 to the required 
position widiin netsafe 2 ar» 107. 

(12) As win be described hmmafker^rietsafe 2 area 107 is also re^KXisibie for decrypting the 
encrypted portions of codes 103, 104, 105, 106,and 107andhaicethenetrafe2area 107 must also 

20 store tins combined code size for later use on decryption. 

Finally, a overall cfaedcsum fer new.exe 30 is cakulated and stored at the end of the file at 
portion 108. TTiisdierksiim is btousedtovarifythe decryption procedures' success and to prevent 
the execution of **saambled'* code, whidi wouM be the result if new.m 30 were tampered widi. 

As will be fiirther described hminafter, netsafe code areas 104 and 107 contain code to decrypt 
25 die encrypted areas oftfienew.exe 30, to repatch code portion 105 back to its cv^inal position, and to 
iq)Iace potentially insecure routines ^ easily q>oofed soeens normal^ 
unsafe keyboard drivers) widi an ahmative safe form of routine. 

l^pon 0CBcutkiioftfieiiew.exe executable 30, die executaUe starts at the st^ I, area 

104 (Fig. 11), as tikis address has been previously patched into position 109(fig.l0)ofhea<fer 101 
30 (Fig.lO). Tlie netsafe 1 area 104 then perfonns the following steps (Al) to (AlO): 

(Al) Ibe first stq> is to disable aD the internipts^iartfinom those necessary fo^ 
operation ofthe compute device 18 (Fig. 1) (for exanq)le, inemory refined cannot be disabled). Hie 
disabling of iijiternipts inchides tile disa bling of the fce^^ in order to stop amatair "code 

snoopers" fiom deterniining the operation of the code area 104. 



35 



(A2) llie next step is to iittrapogate the calling eavironinem of tile opoa^ 
ensure tiiat tiie program iiew.exe was iiot called by a debugging program 
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operatioDofttew.exe. Additional^, the data variables necessary for operatioo of netsafe 1 code area 
104 aie defined to be CD Ae operator system stack This 
stadc win change unexpectedly ¥rihen in a code snooping or debuggi^ 
ddn^gga* to cnidi, thereby stopping a it fiom feltow^ 

5 (A4) llieintmupt trap addresses are tfaraah^ in a two sta^ Hie first stage resets 

a fiist part of Ae SEG:OFF address ionnat and occurs al this point wi^ 
lat^ time as win be fiutberdesOTbedbodn below. BystagiiigtbeaheratioDofinlmupttrap 
addresses, any code snoops win be fiiitfaer oonfiised as said tnq) addresses wi^ 

(AS) AnyinpmfiomtliekeyboaniisfuitfierdisaUedlo^inf^^ 
10 system to ignore any recoved keys. 

(A6) Tlieseocnd stage oFtherevectormg of tbe normal debugging interniptSK 
that the normal ddyugging intonqits can be used by the decryption 
tfaraeby wflnng debugging almost impossible. 

(AT) A deck is tiien made to ensure diat the abowpiDoesses have been sttcoessfid in tii^ 
IS debuggo'iolerriqyts do riot point to any deboggeis, the keyboard is stffl 
system has disabled the acceptance of keys from the keyboard. 

(A8) The key fi>r decryption is then reconstructed utilising the reverse process tot 
storing the mibnnation located in the key. 

(A9) Turning now to Fig. 11, there is shown die standard format oftfae executable new.^e 30 
20 vrtten executing in memory. As wiO be weU known to diose dolled in the art, an executing program 
underthe MS-DOS syston win tndude a stack 111 and work space 112. A n»nory aUocation 
(MalIoc)can is then done to set aside an area 113 for the loading in ofdie netsafe 2 code 107 of 
Fig.lO. The disk copy ofriew.exe 30 Oiaving the format shown in Fig. 10) islhen opened by the 
netsafe 1 code llSandanenayptedcopyofnetsafe2 code 107 (Fig.lO) is then loaded in from the 
2S didc file, decrypted and stored in memory area 113. The relocatable points ofthe code contained 
within the netsafe 2 code 1 13 are then updated to reflect die position of die executable in iiie^ 

(AlO) Control is dien passed to netsafe 2 code 113. 

Ihe code area netsafe 2, 1 13 then perfonns the fidfewi^ 

(BI) IhepcHtionofcoderfdiedidc copy denoted part B, lOS (Fig.lO)isreadin fromdiskin 
30 an encr^yted format and written over die dd netsafe 1 code lis. 

(B2) Aswinbefiiitherdescnl)edherraiafter,dienetsafe2area 113indttdesanuni^ 
keyboard routines vriuch are prefoabty stored in an enoypted fennat. 1b^^ 
applythedecrypttontoanyofdieencryptedareasofnetsafe2codearea 113. Afierdec^^ 
netS8fe2area 113 is checksumrnedandtheresuk is tested against a prestcmdchedcsum to ensu^ 
3S intGgr^ofr»tsafe2area 113. 
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(B3) Tte didcoopy ofdiettew.exe is tlm again read m and diecM 
data to ensme that it has not been cfaaxiged. AdditionaUy^anatten^tisinadetoTeadpasttfaeendof 
file of the disk copy of new.exe 30 (Fig.IO) to ensure that no extension (eg: vizal) has occurred. 

(B4) Tlieena9ptedpoitioDsofthemem(^oopy(FigJl)ofttew.exeare1heai^ 
S tdjUsing tite key and once deciyptedL the deoypted poitions are again cfaedoed and tested gainst 
predetenmned data. 

Ibe next stq> in execution of tibe netsafe 2 code 1 13, is to rq>]aoe inseaire (eg: 
system routines witfa a roore secure method. Refeiiiug now to Fig.12, there is shown the current »tdt^ 
ofthenew.exeexecitfable in memory. The inseftionofthe more secure sj^stemnntines Ago proceeds 
10 in aooordanoe with the feUowii^ steps (CI) to (CS): 

(CI) Firstty^aseccndnianory allocation is done to set aside an area SI (F^. 13)fi3rdie 
stmingofthe secure hardware routines (^: keyboard). These routines are then copied firmithdr area 
within netsafe 2 code 113totfffimem(»yarea51. 

(C2) ^toct, the IIH)ata entry nwtinesivrfiich are n^ 
IS iw^ien dealing wMi ID-Data nyut are altered such that» rather ttian pomfing to correspopdmg areas of 
the MS-DOS openrting system 17, Aey point to the corresponding securearea SI. These mtOTiqits 
include interrupt 9 ^^licfa occurs when a key is pressed on a keyboard, interrupt 29b which reads a key 
and interrupt lA^Aiich tests for the presence of a key. 

(C3) TlieexecutaUe 30 (Fig. 13) is thm ready for execution and tiie registers are initial^^ 
20 memory area 1 13 dealkxated&contrd passes to the original start address of executable program 16. 

(C4) It win be eiadeDt,diat when executing, aU keyboard calk (or odierlD-D^ 
other than keyboariO wiU be passed to keyboard (or odier) routines S 1 wiA the keybo^ 
bemg mterrogated direcdy by keyboard routines SI to return mfonnation to tihe calling pi ogrant. 
Keyboard routines SI mchide a copy of Ae correct interrupt vector addresses for each keyboard 
25 routiiie arid each time they are called, a cfaeA is inaiteoftfae inter r upt table to ensure 

been altered. PreforaUy, keyboard routines 51 protect the keyboard hardware by issuing contndlCT 
reset or similar oominands to fludi die keyboard data out of the cin»ftry after sai^ retrieved to 
prevent hardware eavesdroppiiKg, or routines 51 utilise the protected mechanisms of Ae central 
processor to protect said hardware fiom eavesdropping. 

30 (CS) When the executable 30 tCTHnates,imernqit21h (an NfS4X>S standard) is cal^ This 

intOTiyt is also revectoredto a corresponding area of roirtines 51. The termination code of keyboard 
routine area SI restores the conectinterriqitpdnters in interrupt tat^ 131 to po^ 
operatiiig system 17, and dears the iio4cng^Hiee(M pn>gram and data fo^ 
to the DOS operating system by calling the real intOTiqjt 21 . 



35 



Tlie foregoirig desoil^es only one particular end>odiinent of die present 
the operation oftheMS4X)S operating system. It will be evklent to tfusse skilled in the art, that Ae 
priridples oudined in die paiticular emlxidiiiient can be equally ^ 
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accordance widi die objects of ibe present invention. FuiAer, modificatians, obvious to those skilled 
in tiie ait, can be made thereto widiout departing from the scope of the invastion . 

EXPLANATION AND PURPOSE OF CLAIMS 

Claims 1^, and 3 are indq)endent. The invention in daim 1 covers any hi^ security software 
5 protecting nH)ata by utilising anti-q>ytBcfani^^ Claim2isfora 
inethod ofprodnctnghi^ security software, such as, but itotlitmtd ClaimSisfor 
a new process of graphically represeirting the authenticity of hig^ security software, such as, but not 
limited to, Aat in daim 1 or produced by daint 2. 

Claims 4, S, 6, 7, 8, and 9 addprefenedconqxxientstothehig^h-securityenfo^^ 
10 the software in daim 1. OaimlOadckatradng-preventionprefisrrBdcosiqxnenttodaim, 9 

Claims 1 1, 12, 13, 14, IS, 16, 50, and S3 add prefmed con^Kxients to the security-^licator 
mediodof daim2. 

Claims 17 to 49 inclusive and daims 51 & 52 outbnes the specific area of protection th^ this 
invention affinds a coaq)utOT program acting as a uso: inteifioe (eg: ID4)^ 

15 Specifically^ tfacy yecrfies hftgrriiis tnvBtirinn <qylfi*c in fhft ytyffc ^pfirrfw>t^g a» *"t?^rf fg?*"g^ 
counterfeitiug (i.e.: hamperingdiepossibility that a fiike copy of sa^ int^&ce can be successfiiUy 
presented to a USOT to fool said user into entering infi^mation into the fake interfiice), and protecting 
an inter&ce against maUcious (or otherwise) tanq>eTing, examinatioa, emulation, and eavesdropping. 
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CLAIMS 

1. A hi^ security executable program om^rismg: 

(a) purpose-written conqrater input routines within or ^cessed by software on a comp uter system fin* 
the entry of ID-Data (as heraribefixTB defiiied)> and 
5 (b)anti-yyterhniqifes (as hereinbefore defined) widm said 

eavesdroppo^ (as hereinbefore defined) on said ID-Data, and 
(c) tainpa'-<letection tecfariiques (as herenbefere defined) widim 
tainperiiig(ashqre tnb efcredefine<Oand twimiipiffl 
disallow the subsequent entry of n>4>8ta irito said nqiut roi^^ 
10 in order to disallow curiemaiKl subsequent access to Aat which said n>-^^ 
odt^wise allowed 

2. A method ofahering an ordinal execitfableprograrn to form 
program having inoeased security, said mediod comprising the stqps of 

(a) insCTtingob fiis c ating code into a first munberpfpredetCTmined areas of said 
15 and 

(b) encryptiiig poitkins of said exBcutaUe progiam for late^ 

such that, upon exBotftoD of said aheied executabte pfognun, said exec^ 

(c) decryptmgthe abeied executable program; and 

(d) re^oring said altered exeoitable program to said original executable program. 

20 3. Aniediodofprovidingforasecureentryofiiq>utinfoniudoninacoii9^^ 

conq)rising: 

(a) activating a visual diq>lay or animation and/<»r audio feedback Qiereinafter called an audiovisual 
component) as part of said secure entry of ii^mt infomiation so as to haiiq>er emu^ 

secure entry process; and 
25 (b)audioAfisualconq>onerit feedback oftwo or rncHe of 

(c) aD or part of said input infonnatifln; 

(d) all or part of information based upon some transformation of said iiq>ut infonnation; 

(e) aD (M- part of some transformation of all (h^ part of the software conq^rising said audio/visual 
component arid/or the ccsiqyuter operating sy^em iq>on ^ch said audioAisual ccmqKxient 

30 operates. 

4. A rnethod as ciairned in daim 1 additionally ittduding the replacement 

is vulneiabletoeavesdro|q>ing (as hereinbefm defined) with equivalent code vriiich ronoves said 
vulnerability; said equivalent code vrtuch commuriicates directly wiAtiie hardware of the co9iq>uter 
yMie d'oMing system intemqits or <Asr fimctions vMA would permit rogue software (as 
35 hereinbefore defined) to eavesdrop. 

5. A method as claimed in daim 1 additionally induding one <yinore automati c 
disassembly (as hernibefiHe defined) tedmiques of (a) obfiiscatiiig inserts (as hereinbefofe defined), 

(b) dummy instructions (as heranbefim defined), or (c) executable encryption (as hereinbefore 
defined). 

40 6. A niediod as daiined in daim 1 additionally inchiding code to detect tain^ 

hereinbefore defined) by re-reading its own external-image or its internal memory image and 
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comparing said image or a calculated check of said image widi pxeolcuiated check-data or known 
identical equivBlents. 

7. A method as daimed in daim 1 additiaDallyiiichidingcodeto aotoouiticallynnncHy- 
scan the said software one or moie tones before or during execu^ 

5 tanq)enng (as hereinbefore de&oed). 

8. Ametfaodasdaimedin^im 1 additiooaUyindodingcodetostoreorcGinnumicate 
details of delected tan9>eriiig for later examinati^ 

software, and/or other infomation availabte to said lanqie^ 

9. A method as claimed in ^im I additionally includii% code to prevent, or detect and 
10 8id>seqiiently prevent tiacmg, or mistead code del^^ 

trap fiidlittes for the normal operation of said security^enhanced software, and/ormonitmng system 
timers en* indudmg tiinii^-sensitive instructions <»- monitmng 

system haSexs to detect the activi^ of code daggers, and/or disablmg fiiciUties indudingihe 
keyboard, serial pctfts, i»inter pmts, mouse, screen or system intern^ 
IS deSnggers, and/or testiiig that die disabled status is sdDtnieo^ 
debiqaers, and/brnt9fisii% system mterrupts w 
die custom pmposes of said secnrky^enhmoed software, and/or util^^ 
togediOT widi sdfnnodifying code to mislead code debuggers, and/or scann^ 
operating syst^ or execotable^oad-prooess to detect code debugger instructions or environments . 

20 10. A iiiediod as daimedmdaim 9 additionally induding a process or muki^ 

vdudi are resident or diild pnx^esses of said security-enhanced software ^ 
system interriqits afto- the parent process has tmninated in oni^ to hanq>er 

11. A mediod as daimed in daim 2 inAerein said drfuscatii^ code inchides r^Iacement 
25 codes fi)T insecure system routines and said execution ford^ (e)rBpladngthe 

execution of said insecure system routines widi said replacement codes . 

12. A mediod as daimed in daim 2 wheran said stq9s(c> and (d) occur wAiite 
simultaneously substantially disabling eavesdroppmg on the operation of said steps (c) and (d) by 
any rogue program. 

30 13. A nwthod as Ruined in daim 2 iHtoein said step (a) inchides ins^ting a portin 

said obfiiscating code mto die code area of said original executable program. 

14. A mediod as daimed in dahn II indi^nein said st^ (e) inchides altering portions of 
an intmi^ vector taUe to point to said rq>laoement codes. 

15. Arnethodasdaimedindaim2i9iAerdn$aidstq>(b)indudesthestoringofa 
35 decryption key in a phualityofpredetCT mi ned areas of said ahered executable pn 

16. A mediod as daimed in daim 1 5 \riierein said predelmnined areas inchide the 
cnndifion codes of predetCTminBd instnictions of said atoed executable program. 
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17. A method as claimed in daim 3 indxerein said audiovisual component has repeatable 
characteristics during subsequent invocations of said entry process, such that said audiovisual 
GORqxment on each invocation of said entry process has a predetermined resemblance to the 
amhovisnal conyonent of all other invocations of said entry process. 

5 18. A method as daimed in chiim 3 wherein said audiovisual con^onent 

accordance with the mfonnation entered. 

19. A nttthod as daimed in claim 3 ^^nan said audiovisual oonqxjnent comprises 
moving parts and/or inchidfis 2.S^dimensiQpal animarion or 3 wiin^n$icn^! antmati nn 

20. A method as daimed in daim 3 wheran said audiovisual conqxxient indudes a 
10 lepresentatiGn of said input infbimation. 

21. A mediod as daimed in claim 20 )^er^ said iq>ut infi>rmaticn representation 
comprises (a) display of a sin^ graphical object and/or (b) production of a single audio-feedback 
sequence, Bfbsfv the entry of all or part of said input information . 

22. Amediod as chimed in daim 20 i^dieiem said nqnit m&nnattcn representation 
1 S indudes animation of iiq>ut diaracters md/or audible or other fye&ack detramined by input 

characters. 

23. A method as daimed in daim 22 v^^etn the r^resentation of said iiq>ut characters 
varies far each diaract^ based on the result of a predetennined transformation of the preceding 
ui9>uted diaracters. 

20 24. A method as daimed in daim 23 ^^erein said transformation utilises cryptographic 

or hashing methods. 

25 . A method as daimed in daim 3 ^^cti the ease by ^cfa fiudifiil rephcaticn of said 
audiovisual c(Hiq>onent is substantially reduced by indusion in said audiovisual conq>cnent the 
tedmiques cf on soeen shadow rendmng and/or spot or flood scene figjiting eSocis and/or scene or 

25 object shading and/or tranqsarent or translucent d>jects and/or shiny, reflective, or mirrored objects 
and/or real-time animation roughly obeying real worid gravitational efiects and/or single-image- 
random-dot-stereogram bitm^s or backdrops and/or partial scene masking effects and/or foil or 
partial scene distortion or diffiaction efifects and/or animated objects designed to resist sinqsle 
hidden-surfoce rranoval tedmiques and/or animated bitm^s and/or audible edio eflfects and/or 

30 differing audio voice e%Cts and/or di£^ing audio volume and/or difibing audio tones or pitches. 

26. A method as daimed in daim 3 \^erein said audiovisual con^Kxieat is immediately 
recognisable to human bdngs and indudes information whidi identifies to die user the a{^lication to 
^^di said audiovisual conq>onent bdongs. 

27. AniedK>dasdainiedmclaim3^ereindieeaseby^difoithfolrepUcationofsaid 
35 audiovisual canqKnent is ftrther reduced by indusion in said audiovisual conqxxients animation 

object inovenient timing such that at iiear regular and fiequent interval 
obviously recognisable to users of said entry process. 

28. A inethod as daimed in daim 3 vAerein said oitry process indudiiig said audiovisual 
coa^onent utilises a sub^antial portion of die con^utational resources of said computer system. 



wo 97/04394 PCT/AU96rt)0440 

" 24 - 

29. A method as claimed in claim 3 herein said entry process code respcnsible for said 
audiovisual component is coded in the assembly language of die oon^ut^ system. 

30. A mediod as daimed in daim 3 i^erein recording said audiovisual conqKxient by 
said coaq>ut6r system is disabled. 

5 31. Aroelfaodasclainiedinclaim3i9riierein(a)ftefiu:ilityto 

entry process is either disabled, or (b) immediately lyon suyension request, said entry process is 
protected againfst subsequent examination by encryption or by termination and removal from 
memory rf said entry process, or (c) Mdiere the fiicility to aUow die cen^ 
of said computer system to execute code other than the code of, or the code necessary for said entry 
10 process is dther disabled or else said entry process is protected agnin5>t examination. 

32. A mediod as daimed in daim 3 wherein said entry process hangers sin;)le recording 
by ntiligtng the maximum practicable use of audiovisual fiamerate, and/or audiovisual resolution, 
and/or screen colours, and/or audiovisual design in said audiovisual conq^onent on said computer 
system. 

15 33. , A mediod as dainied in daim 3 ^lerein said entry process hanqyers die con^re^ 

of reoonbd output fiom said audiovisual oonq>onent by utiBsiiig hi^ 
the indusion of randcxn or odier noise in said audiovisual component. 

34. A method as daimed in daim 3 iwfaerein said audiovisual component inchjdes 
continuous ou^ut such that the looping of only a subset of said output shall not rq)roduce a copy 

20 largdy indistinguidiable to said audiovisual oon^Kxient. 

35. A mediod as claimed in claim 1 or daim 3 wherein said ID-Data or said input 
information is encrypted with some cryptognq>hic process or hasiied immediatdy upon entry and a 
plain text equivalent is noC stored by said conq>uter system. 

36. A method as daimed in daim 35 i^rfi^m disablement ofone or more intOTU^ 
25 instructions (or equivalent CPU devices) is utilised to protect said cryptog^ 

process of said ID-Data to hamper die recovery of said ID-Data by processes od^ 
process. 

37. A mediod as daimed in daim 1 or daim 3 viiieretn said input routines en* said secure 
entry process preventsthere-vectoringof system interrupts in order to protect said ID-Dat^ 

30 input infoimation fiom bang stden, by means of re-qiplying latoBmpt vector pointers one or more 
times and/or by means of examining intesmxpt assignments in order to perfonn a predetmnined 
function Aould the expected assignments be altered. 

38. A mediod as claimed in claim 1 or claim 3 v^erdn in orcfer to fiirdier audienticate 
aod/ar identify said us^, additional aspects of said ID-Data at said input infonnadon are used 

35 indudingthe duradon of individual key presses and/or moise button presses and/ordie dday 
between ^bsequent individual key presses <»- mouse button presses and/or the us^s selection of 
particular keys iT^ien more dum one equivalent exists and/ordie accderation or vdodty 
characteristics of mouse usage and/or viiere said input information indudes infonnadon from other 
sources induding biometnc and/or snartcard information. 
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39. A method as daimed in daim 1 or claim 3 ^priieretn said iiqmt roobnes or said secure 
aitry process aitffaeitticales itsdf uang (a) executable code checksums of RAM or other images of its 
own executable code and/or data, (b) and/or oon^MuisanofmenKHymtfaodier stored ccpie^ 
executable code, (c) and/or deciypcian of said entfy process ((^ md/or detectioa of executable 

5 taiH)OTng by eoamrnatrop of the executabte's envuomnept (e) and/or coiuparisou of executable size 
with ebqMClfid vahes (0 md/OT by atteofiting to re^ 

diat the size is oonect; parts (a)tfa]ioug|i (f) occui'iiug e^ier upon initial load or during or aftra* 
execitfion ooe or more tmies or oontmually during execution. 

40. A method as daimed in daim 1 or daim 3 ^toiran said irputioutittes or said secure 
10 entry piDcess makes use of system luteriupts to monitor itself in order to detect aheratioo of itsdf. 

41. A method as daimed in daim 39 or daim 40 ^^rfierein said iiqratro^ 

secure entry process incoiporat c s means by vviucfa to notify and/or trananit aufe enti ca tion fiulure 
details to a third person or process should said sdf authentication ftil. 

42. Ametfaodasdainudindaim lordaim3 vtoemsaidiqHitnsutinesor^ 
IS entry process recnds a log ofthe usage and/or detaibofthe user of said 

secure entry process. 

43 . AmedKxlasdanttedindaim I or daim 3 ^primein said iqmt routines or said secure 
entry process incorporates wammgs within tte executable mage indicating diat examinaticn and/or 
tanq>ering is prohibited. 

20 44. A medKxI as claimed in daim 3 herein said audiovisual conqxxient contains 

watermark information incorporated into die scene to allow dose inspection of said audiovisual 
component to distinguish between Ihe genuine process and a dose replica. 

45. A method as daimed in claim 1 or daim 3 ^min said ii^nitniutines or said sec^ 
entry processes loading and/or decryption routines are stored wtdiin the executable image in such a 

25 way as they initially r^lace olh^ entry process routiDes and upon successful decryption and/or 
authentication, said cdiCT entry process roitfines are replaced. 

46. Amediodasdaimedindaim 1 or daim 3 ixdieidn said iiqnit routines or said secure 
entry process hampers executable-code tracing throu^ control-flow dianges in debug environments 
or diroi^ disabling one more system mtenupts and/or disabling the keyboard and/or disabling 

30 the mouse or cdber input devices aiul/cM^mdmg use of 4ie program 

of a debug environment and/or utilising ddiug mtempts for program code operation and/or sdf- 
modificatton of executable code and/or examination of CPU flag registers and/or verification of 
disabled interrupts sdll-disabled state and/or vrnfication of disabled keyboards still-disabled state 
and/<»' toadiog additional executabte code intD ineniory during execution. 

35 47. A inediod as daioffid in daim 1 or daim 3 i^ioeia die executable image of said iiqnxt 

loutmes COT said secure entry process ittdades obfiiscatiiig asseniUy language dummy operation 
codes or mstruction prefixes insiffted after one or more unconditional branches to hssnpct executable 
disassendriy and/cn* decon^ilatkn and/cn- reverse engineeriiig. 
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48. A method as claimed in claim 1 or claim 3 >^erein said input routines or said secure 
entry process is securely aaivated by its activation process and/or a host or server computer using a 
diallenge/Fespoose activation protocol or using public or private key cryptographic methods. 

49. A method as claimed in claim 1 or claim 3 wherein said input routines or said secure 
S entry process is stored outside of said con9>uter system memory in encrypted form and/or ^ere said 

entry process employs techniques to hinder executabl&code tracing and/or executable-code 
disassembly or disclosure or deconq>iIation and/or executable-code tampering and/or executable- 
code hot-patdiing and/or reverse-engineering and/or pre, in, or post-execution executable-code 
recording, cop)!!*!^, eavesdrt^ping or retrieval and/or theft of said input informadon from keyboard 
10 hardware or software or drivers. 



50. A method as claimed in claim 2, II, 12, 13, 14, IS, or 16 fur^er con^rising &e 
inseitimofooe or niOFeconqKXieQts as claimed in daiins 1, 4, S, 6^ 7, 8, 9, IO,orSl. 

51. Aprocess as claimed in daim 3. 17, 18, 19, 20. 21, 22, 23, 24. 2S, 26, 27. 28, 29. 
1 5 30. 31, 32, 33, 34, 35, 36. 37, 38, 39. 40, 41. 42, 43, 44. 45, 46. 47, 48. or 49 further comprising 

protecting all or part of said ix^mt routines or said secure entry process wrOi zero or more 
con^KHients as claimed in claims 1, 4, 5, 6, 7, 8, 9, 10, or 0. 

52. A method for providing for the secure input of information into a con^uter s>'stem, or 
A hifiji security executable, substantially as hereinbefore described with reference to the 

20 zccampsnymg drawings. 

53 . A method of ahering an original executable program to form an altered executable 
program having increased security, substantially as h^einbefbrede^ribed with reference to the 
accompanjring drawings. 
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